ShinyHunters exploited Oracle PeopleSoft as a zero-day for 14 days before Oracle warned anyone, breaching 100+ organisations  ·  Nightmare Eclipse drops GreatXML, a second unpatched BitLocker bypass  ·  ServiceNow updates breach attribution  ·  CYBERSIP.NET  ·  ISSUE 61
CyberSip™
Daily Cyber Brief · Intelligence Without the Noise
Issue No. 61 · June 12, 2026 · cybersip.net · 3 active items · Under 5 min read
Today’s picture
Mandiant and Google’s Threat Intelligence Group published analysis on June 11 confirming that ShinyHunters exploited CVE-2026-35273, a CVSS 9.8 unauthenticated remote code execution flaw in Oracle PeopleSoft, as a zero-day between May 27 and June 9. Oracle did not issue its advisory until June 10, meaning every organisation hit during that 14-day window had no patch and no vendor warning. Over 100 organisations were breached, 68 percent of them universities, including the University of Nottingham, which had 40GB of student and billing data stolen and published. Nightmare Eclipse released GreatXML on June 10, a second unpatched BitLocker bypass that exploits the Windows Defender Offline Scan feature to spawn a SYSTEM shell in Recovery Mode. Combined with RoguePlanet from the previous day, an attacker with physical access to a Windows machine now has two concurrent unpatched paths. ServiceNow updated its breach advisory on June 12, attributing the suspicious API activity to researcher testing rather than malicious exploitation.
Threat snapshot
3 items · 2 monitoring
  • PeopleSoft · CVE-2026-35273 · 100+ orgs breached · zero-day
  • GreatXML · unpatched BitLocker bypass
  • ServiceNow · breach attribution updated
3 items this issue
June 11 · Oracle PeopleSoft · Zero-Day · 100+ Orgs Breached
ShinyHunters exploited Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8) as a zero-day for 14 days. Oracle issued its advisory after the campaign ended. Over 100 organisations breached, 68% universities.
Mandiant and Google GTIG published a joint analysis June 11, the day after Oracle’s advisory. The Environment Management Hub endpoint requires no authentication and no user interaction to exploit over HTTP. The University of Nottingham had 40GB of student records and billing data stolen and published after refusing to pay. ShinyHunters says outreach to victims has only just started.
June 10 · Windows · No Patch
GreatXML: Nightmare Eclipse’s eighth zero-day. Unpatched BitLocker bypass via Windows Defender Offline Scan. Any system that has ever run an offline scan is reportedly vulnerable.
Place two XML files on the recovery partition and reboot into WinRE to get a SYSTEM shell with unrestricted access to the BitLocker volume. Requires physical access. Combined with RoguePlanet from the previous day, an attacker has two concurrent unpatched Windows attack paths. Microsoft has not assigned a CVE.
Updated · ServiceNow
ServiceNow updates its breach advisory on June 12, attributing the suspicious API activity reported in Issue 60 to researcher testing rather than malicious exploitation.
ServiceNow’s revised advisory states the activity observed on June 2–3 has been attributed to authorised security researcher activity. The company maintains the endpoint has been secured. The revised attribution changes the customer response calculus from Issue 60.
Detailed intelligence
Full analysis
01 · Oracle PeopleSoft · Zero-Day · 100+ Orgs
ShinyHunters exploited Oracle PeopleSoft as a zero-day for 14 days before Oracle issued any advisory. Over 100 organisations breached. 68% of victims are universities.
CVE-2026-35273 · CVSS 9.8
The flaw is in the Environment Management Hub component of PeopleTools 8.61 and 8.62. No authentication and no user interaction required. Mandiant and Google GTIG published their joint analysis on June 11, one day after Oracle’s emergency advisory. The campaign ran from May 27 to June 9 with stolen data published on ShinyHunters’ data leak site the same day it ended.
Executive Impact
If your organisation runs Oracle PeopleSoft, block all external internet access to the Environment Management Hub endpoint immediately. Apply Oracle’s emergency advisory. Audit access logs for activity between May 27 and June 9, specifically unusual requests to PSEMHUB, unexpected outbound SSH connections, and data compressed with zstd. PeopleSoft typically holds HR records, payroll data, student records, and billing information. If the Environment Management Hub was internet-accessible during the campaign window, treat the instance as potentially compromised.
Don’t Miss
ShinyHunters has made a visible pivot in this campaign. Their prior operations leaned on social engineering, stolen tokens, and weak SaaS access controls, most recently the Canvas breach in May. Exploiting a server-side zero-day in on-premises ERP software requires meaningfully more capability. Mandiant’s analysis notes that the attacker’s staging infrastructure, hosted across a cluster of IP addresses at 142.11.200.186 through 190, was left exposed with open directories showing tooling, payloads, and command histories. That operational security failure is the same pattern seen with PCPJack in Issue 54 and gives defenders a detailed picture of the attack chain. The open question Mandiant raises is whether this zero-day was a one-off acquisition or whether ShinyHunters is actively moving into ERP exploitation as a sustained capability.
CyberSip Take
Oracle issued its advisory the day after the campaign ended and the stolen data was published. Every victim organisation was dealing with a zero-day the entire time they were compromised. The pattern from CVE-2026-0257 and Netlogon repeats: vendor confirmation lags actual exploitation. For any internet-facing ERP component, the working assumption should be that exposure starts at network reachability, not at vendor advisory. Lock the PSEMHUB endpoint now, apply Oracle’s patch, and audit the May 27 to June 9 window regardless of whether exploitation has been confirmed in your environment.
What happened

Mandiant and Google Threat Intelligence Group published a joint analysis on June 11 of an active compromise and extortion campaign attributed to UNC6240, the group tracked publicly as ShinyHunters. The campaign exploited CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools, between May 27 and June 9, 2026. Oracle published its emergency advisory on June 10, the day after the campaign concluded and stolen data appeared on ShinyHunters’ data leak site.

CVE-2026-35273 sits in the Updates Environment Management component, specifically the Environment Management Hub endpoint (PSEMHUB). No authentication is required and no user interaction is needed: a network-accessible PSEMHUB endpoint is sufficient for exploitation over HTTP. Affected versions are PeopleTools 8.61 and 8.62. Oracle notes that earlier unsupported versions are likely also vulnerable.

Mandiant notified over 100 global organisations whose IP addresses correlated with potentially vulnerable exposed endpoints. Of those organisations, 68 percent were universities and academic institutions, most in the United States. ShinyHunters told The Register that the University of Nottingham was among the first publicly confirmed victims, with 40GB of student and billing records stolen and published after the university declined to pay the extortion demand. ShinyHunters stated that victim outreach was still ongoing at time of reporting.

The attackers’ staging infrastructure was exposed: open directories on servers at 142.11.200.186 through 190 contained tooling, payloads, and command histories that allowed Mandiant to reconstruct the attack chain in detail. Exfiltrated data was compressed using zstd and transferred via outbound SSH to 176.120.22.24, the IP hosting the ShinyHunters data leak site mirror.
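One way to turn the audit guidance above (PSEMHUB requests in the May 27 to June 9 window, outbound SSH, the staging and leak-mirror addresses named in the analysis) into a repeatable hunt, as an added example that is not Mandiant's, Oracle's or CyberSip's code. It assumes Apache-style combined access logs on the web tier and key=value egress records from the firewall; every log line is constructed, and the zstd indicator is host-side evidence not covered here.

```python
# Added example (not Mandiant's, Oracle's or CyberSip's code); all log lines below are constructed.
# Assumed: Apache combined-format web access logs and key=value firewall egress records.
import ipaddress
import re
from datetime import date, datetime

CAMPAIGN_START, CAMPAIGN_END = date(2026, 5, 27), date(2026, 6, 9)
STAGING_IPS = {f"142.11.200.{i}" for i in range(186, 191)}  # attacker staging hosts, per the brief
LEAK_MIRROR = "176.120.22.24"  # outbound SSH / exfil destination, per the brief
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*"')

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def hunt_psemhub(access_log: str) -> list[dict]:
    """Tag every PSEMHUB hit: inside the campaign window? external source? known staging IP?"""
    findings = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or "/PSEMHUB" not in m["path"].upper():
            continue  # ordinary PeopleSoft traffic; only the EM Hub endpoint is at issue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        findings.append({
            "src": m["ip"], "date": when.isoformat(),
            "in_window": CAMPAIGN_START <= when <= CAMPAIGN_END,
            "external": not is_internal(m["ip"]),
            "known_staging": m["ip"] in STAGING_IPS,
        })
    return findings

def hunt_egress(firewall_log: str) -> list[dict]:
    """Flag outbound SSH (dport 22) to non-RFC1918 addresses; mark the leak-site mirror."""
    hits = []
    for line in firewall_log.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        if kv.get("dport") != "22" or is_internal(kv["dst"]):
            continue  # internal SSH and non-SSH egress are out of scope for this hunt
        hits.append({"ts": kv["ts"], "src": kv["src"], "dst": kv["dst"],
                     "leak_mirror": kv["dst"] == LEAK_MIRROR})
    return hits

# Constructed samples: one internal EM Hub hit before the window (benign), two external hits inside it;
# of the three egress records only the first is outbound SSH to a non-RFC1918 address.
SAMPLE_ACCESS = """\
10.4.1.31 - - [15/May/2026:09:10:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
142.11.200.188 - - [28/May/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812
10.4.1.20 - - [02/Jun/2026:08:01:12 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 3301
203.0.113.45 - - [03/Jun/2026:23:47:51 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1290
"""
SAMPLE_EGRESS = """\
ts=2026-06-05T03:12:44Z src=10.4.1.50 dst=176.120.22.24 dport=22 proto=tcp
ts=2026-06-05T03:15:00Z src=10.4.1.50 dst=10.4.9.9 dport=22 proto=tcp
ts=2026-06-06T10:00:00Z src=10.4.1.51 dst=198.51.100.200 dport=443 proto=tcp
"""
```

Any PSEMHUB finding with `in_window` and `external` both true warrants treating the instance as potentially compromised, whether or not the source matches a published staging address.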

Recommended actions
Derived from The Hacker News, The Register, Security Affairs, and Google Cloud Blog reporting on CVE-2026-35273, June 11–12, 2026.
02 · Windows · No Patch
GreatXML: Nightmare Eclipse’s eighth zero-day. BitLocker bypass via Windows Defender Offline Scan. Any system that has run an offline scan is reportedly vulnerable. No CVE, no patch.
GreatXML · No CVE Yet
Released on June 10, one day after RoguePlanet, GreatXML exploits how Windows handles recovery boot configurations and unattended setup files when the Defender Offline Scan feature has been used. An attacker with physical access can spawn a SYSTEM shell with unrestricted access to a BitLocker-protected volume by placing two XML files on the recovery partition and rebooting into Windows Recovery Environment.
Executive Impact
GreatXML requires physical access, making laptops, unattended workstations, and shared-access devices the primary risk surface. The researcher states that any system that has run a Defender Offline Scan at least once is vulnerable, while acknowledging that the conditions have not been fully mapped. Combined with RoguePlanet from the previous day, an attacker with local execution on a Windows device and physical access can escalate privileges and bypass BitLocker with no patches available for either. Monitor MSRC for CVE assignment and an out-of-band fix.
Don’t Miss
YellowKey, the previous BitLocker bypass from Nightmare Eclipse, was patched in this week’s Patch Tuesday as CVE-2026-50507. GreatXML is its replacement, disclosed the same day YellowKey was patched. The researcher has consistently timed releases to coincide with or immediately follow Patch Tuesday, maximising the window during which no patch is available. The broader series now stands at eight zero-days since April: BlueHammer, RedSun, UnDefend, GreenPlasma, MiniPlasma, YellowKey (now patched), RoguePlanet, and GreatXML. Microsoft has publicly condemned the uncoordinated releases and indicated it would involve law enforcement if customers suffered real harm. Microsoft has not yet assigned a CVE to GreatXML.
CyberSip Take
RoguePlanet and GreatXML on consecutive days, both unpatched, one targeting Defender and one targeting BitLocker via Defender. The combination is the concern: local privilege escalation to SYSTEM followed by unrestricted access to encrypted volumes. Physical access is required for GreatXML, which limits the exposure to devices that can be physically reached. Organisations should review BitLocker deployment configurations and evaluate whether the recovery partition on managed devices is accessible in ways that could enable this technique. An MSRC patch is expected but timing is unknown.
What happened

Nightmare Eclipse, also known as Chaotic Eclipse, published the GreatXML exploit on June 10, one day after releasing RoguePlanet. The researcher described it as an accidental discovery that took four hours to find. The exploit targets the interaction between Windows Defender’s Offline Scan feature and Windows Recovery Environment boot configurations.

When a Defender Offline Scan has been initiated on a system, the presence of specific XML files on the recovery partition, namely unattend.xml and Recovery/WindowsRE/ReAgent.xml, causes WinRE to process them in a way that spawns a privileged shell with unrestricted access to BitLocker-protected volumes. An attacker with physical access places these files on the recovery partition, then reboots into WinRE by holding Shift while clicking Restart in the Windows power menu. The researcher notes that systems on which an offline scan has never been run may also be exploitable by first initiating the scan state, though this has not been fully investigated.

Microsoft has not assigned a CVE to GreatXML and has not published a patch or advisory as of today. The researcher published the proof-of-concept code on GitHub. The Cyderes Howler Cell team independently confirmed the technique. Unlike RoguePlanet, which is a local privilege escalation, GreatXML requires physical access to place the files and trigger the reboot.

Recommended actions
Derived from SecurityWeek, Security Affairs, The Register, and The Hacker News reporting on GreatXML, June 10–12, 2026.
03 · Updated · ServiceNow
ServiceNow updates its breach attribution. The suspicious API activity reported in Issue 60 has been attributed to authorised security researcher testing, not malicious exploitation.
KB3067321 · Updated June 12
ServiceNow updated its security advisory on June 12, attributing the API activity observed on June 2 and 3 to authorised security researcher activity rather than a malicious actor. The endpoint has been secured. This materially changes the customer response from Issue 60.
Executive Impact
If your organisation acted on the Issue 60 guidance and audited ServiceNow logs, that review is still a sound practice regardless of attribution. However, the immediate breach notification obligation assessment from Issue 60 should be revisited in light of ServiceNow’s revised position. Organisations that initiated formal breach notification processes based on the original reporting should review whether that determination holds under the updated attribution.
Don’t Miss
Attribution in security incidents is difficult and frequently revised. ServiceNow’s initial advisory described activity it characterised as a security incident. Its revised advisory attributes the same activity to researcher testing. The underlying facts, that an unauthenticated API endpoint was accessible, that API requests were made to customer instance tables, and that those requests came from an external IP, have not changed. What has changed is ServiceNow’s characterisation of who made the requests and why. Organisations running regulated workloads should document both the original advisory and the update, and apply their own judgement about whether the revised attribution satisfies their disclosure obligations, rather than relying solely on the vendor’s characterisation.
CyberSip Take
We reported the confirmed facts in Issue 60 as they stood at time of publication. The facts have been updated by ServiceNow and we are updating the brief accordingly. The endpoint is now secured. The breach notification question from Issue 60 should be revisited with legal counsel in light of the revised attribution. The timeline concern raised in Issue 60, that six weeks elapsed between a bug bounty report and a patch, remains unchanged and is worth noting regardless of how the activity is ultimately characterised.
What changed

ServiceNow updated its security advisory KB3067321 on June 12 to state that the suspicious API activity observed on June 2 and 3 has been attributed to security researcher activity rather than malicious exploitation. The company states the endpoint that was accessible without authentication has been secured and that the advisory has been updated to reflect this revised attribution.

The original advisory, published on June 9, described the activity as a security incident and confirmed that external requests had been made to customer instance tables via the REST API endpoint. The updated advisory changes the characterisation of who made those requests. ServiceNow has not detailed how it determined the activity was researcher rather than attacker traffic, nor whether the researchers involved were authorised by the affected customer organisations.

Recommended actions
Derived from Cybernews reporting on the update to ServiceNow KB3067321, June 12, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
RoguePlanet Defender zero-day (Issue 59). No CVE, no patch. Works on fully patched Windows 11. Application allowlisting prevents execution. Monitor MSRC for emergency patch. · Day 3
Cisco SD-WAN CVE-2026-20245 (Issue 56). Seventh zero-day exploited this year, no patch yet. Restrict CLI access to trusted administrators. Apply published IOCs. Patch immediately when released. · Day 7
Cross-source standouts
01
Oracle knew about the PeopleSoft flaw after the campaign ended, not during it
CVE-2026-35273 was exploited as a zero-day from May 27 to June 9. Oracle published its advisory on June 10. Mandiant published its analysis on June 11. Every one of the 100-plus organisations that was compromised during those two weeks had no advisory to act on and no patch to apply. The pattern this brief has documented across CVE-2026-0257, CVE-2026-41089, and now CVE-2026-35273 is consistent: exploitation runs for days or weeks before vendors confirm it. For internet-facing ERP and management infrastructure the practical question is not whether a vendor has confirmed exploitation. It is whether an endpoint is internet-accessible and unpatched. The answer to that question determines the risk, not the advisory date.
02
Nightmare Eclipse has now patched and replaced a BitLocker bypass in the same week
YellowKey, the first BitLocker bypass, was patched on June 9 as CVE-2026-50507 in Patch Tuesday. GreatXML, the second BitLocker bypass, was published on June 10. Six of the researcher’s eight zero-days now have patches: BlueHammer, RedSun, UnDefend, GreenPlasma, MiniPlasma, and YellowKey. Two do not: RoguePlanet and GreatXML. The pace has not slowed and the targets remain the same: Defender and BitLocker, the two Windows security features most relied upon for endpoint protection and data encryption. That is not coincidence. It is a focused effort against the controls that matter most to defenders.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.